diff --git a/src/backend/src/services/WebServerService.js b/src/backend/src/services/WebServerService.js
index 1dc68cf40..0960bbc66 100644
--- a/src/backend/src/services/WebServerService.js
+++ b/src/backend/src/services/WebServerService.js
@@ -362,13 +362,12 @@ class WebServerService extends BaseService {
         app.use(helmet.xssFilter());
         // app.use(helmet.referrerPolicy());
         app.disable('x-powered-by');
-    
+        
         const uaParser = require('ua-parser-js');
         app.use(function (req, res, next) {
             const ua_header = req.headers['user-agent'];
             const ua = uaParser(ua_header);
             req.ua = ua;
-            console.log('\x1B[26;1m===== UA =====\x1B[0m', ua);
             next();
         });
 
@@ -382,11 +381,20 @@ class WebServerService extends BaseService {
         app.use(function (req, res, next) {
             const origin = req.headers.origin;
             
-            const is_site = req.hostname.endsWith(config.static_hosting_domain);
+            const is_site =
+                req.hostname.endsWith(config.static_hosting_domain) ||
+                req.hostname === 'docs.puter.com'
+                ;
             const is_popup = !! req.query.embedded_in_popup;
-            
-            const co_isolation_okay = !is_popup && (is_site || req.co_isolation_enabled);
-            
+            const is_parent_co = !! req.query.cross_origin_isolated;
+            const is_app = !! req.query['puter.app_instance_id'];
+
+            const co_isolation_okay =
+                (!is_popup || is_parent_co) &&
+                (is_app || !is_site) &&
+                req.co_isolation_enabled
+                ;
+
             if ( req.path === '/signup' || req.path === '/login' ) {
                 res.setHeader('Access-Control-Allow-Origin', origin ?? '*');
             }
diff --git a/src/gui/src/IPC.js b/src/gui/src/IPC.js
index 1010601b2..356e72e06 100644
--- a/src/gui/src/IPC.js
+++ b/src/gui/src/IPC.js
@@ -497,6 +497,11 @@ window.addEventListener('message', async (event) => {
         if(!window.menubars[event.data.appInstanceID])
             window.menubars[event.data.appInstanceID] = value.items;
 
+        // disable system context menu
+        $menubar.on('contextmenu', (e) => {
+            e.preventDefault();
+        });
+
         const sanitize_items = items => {
             return items.map(item => {
                 // Check if the item is just '-'
diff --git a/src/puter-js/src/modules/UI.js b/src/puter-js/src/modules/UI.js
index 8a3fe496a..f56084167 100644
--- a/src/puter-js/src/modules/UI.js
+++ b/src/puter-js/src/modules/UI.js
@@ -468,7 +468,7 @@ class UI extends EventListener {
                 let fpath = URLParams.get('puter.item.path');
 
                 if(!fpath.startsWith('~/') && !fpath.startsWith('/'))
-                    fpath = '~/' + fpath
+                    fpath = '~/' + fpath;
 
                 callback([new FSItem({
                     name: URLParams.get('puter.item.name'),